Secret computation method, secret computation system, secret computation apparatus, and program

ABSTRACT

A power is computed at high speed with a small number of communication rounds. A secret computation system that includes three or more secret computation apparatuses computes a share [a^(ν)] of the ν-th power of data "a" from a share [a] of data "a" while data "a" is concealed. The share [a] of data "a" and an exponent ν are input to an input unit (step S11). A local operation unit computes the p^(u)-th power of a share [a^(t)] of the t-th power of data "a" without communication with the other secret computation apparatuses (step S12). A secret computation unit uses secret computation that requires communication with the other secret computation apparatuses to compute a multiplication in which at least one of the multiplicands is [a^(t*p^u)], the computation result of the local operation unit, to obtain the share [a^(ν)] (step S13). An output unit outputs the share [a^(ν)] (step S14).

TECHNICAL FIELD

The present invention relates to secret computation techniques, and more specifically, to a technique that computes, while concealing data, a power of the data.

BACKGROUND ART

Secret computation technology, which analyzes data while keeping it concealed so that sensitive data can be shared and analyzed, has been researched. One such technology uses a method called secret sharing, in which data is divided into a plurality of pieces called shares. In order to perform various analyses while the data remains concealed, protocols have been proposed to perform operations such as multiplication, addition, and sorting on the concealed data (see Non-Patent Literature 1 and Non-Patent Literature 2, for example).

Suppose that a power of data is computed while the data is concealed. The Binary method (square-and-multiply) is usually used to compute a power, for example, to compute [a⁹] from [a], wherein [a] indicates data "a" in concealed form. The Binary method repeats multiplication to compute the desired power; it computes [a⁹] in the following way, wherein Mult indicates the multiplication procedure.

1. [a²]←Mult([a], [a])

2. [a⁴]←Mult([a²], [a²])

3. [a⁸]←Mult([a⁴], [a⁴])

4. [a⁹]←Mult([a⁸], [a])

PRIOR ART LITERATURE Non-Patent Literature

-   Non-Patent Literature 1: Dai Ikarashi, Ryo Kikuchi, Koki Hamada, and Koji Chida, "Actively private and correct MPC scheme in t<n/2 from passively secure schemes with small overhead", IACR Cryptology ePrint Archive, vol. 2014, p. 304, 2014.
-   Non-Patent Literature 2: Toshinori Araki, Jun Furukawa, Yehuda Lindell, Ariel Nof, and Kazuma Ohara, "High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority", ACM CCS 2016.

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

To compute the m-th power with the Binary method, it is necessary to perform multiplication O(log m) times. In secret computation, communication is required for every multiplication, and that communication is the performance bottleneck. Therefore, it is desirable that a power be computed with a smaller number of multiplication calls.

An object of the present invention is to provide secret computation technology that computes a power of data while concealing the data, with a small number of communication rounds.

Means to Solve the Problems

To solve the problems described above, a secret computation method according to a first aspect of the present invention is a secret computation method in which GF(p^(k)) is an extended field having a characteristic p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 that satisfy t*p^(u)≤ν; the secret computation method computes a share [a^(ν)] of the ν-th power of data a from a share [a] of data a while data a is concealed and is executed by a secret computation system that includes three or more secret computation apparatuses. The secret computation method includes computing the p^(u)-th power of a share [a^(t)] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; and obtaining the share [a^(ν)] in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is [a^(t*p^u)], the computation result of the local operation unit, using secret computation that requires communication with the other secret computation apparatuses.

A secret computation method according to a second aspect of the present invention is a secret computation method in which GF(p^(k)) is an extended field having a characteristic p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), r is a random number that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, <a>:=([a], [ra]) is a randomized shared value of data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 that satisfy t*p^(u)≤ν; the secret computation method computes a randomized shared value <a^(ν)>:=([a^(ν)], [ra^(ν)]) of the ν-th power of data a from the randomized shared value <a> of data a while data a is concealed and is executed by a secret computation system that includes three or more secret computation apparatuses. The secret computation method includes computing the p^(u)-th power of a share [a^(t)] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; obtaining a randomized shared value <a^(t*p^u)>:=([a^(t*p^u)], [ra^(t*p^u)]) of the computation result of the local operation unit in a randomizing unit of the one of the three or more secret computation apparatuses by multiplying [a^(t*p^u)], the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with the other secret computation apparatuses; and obtaining the randomized shared value <a^(ν)> in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is the randomized shared value <a^(t*p^u)> of the computation result of the local operation unit, using secret computation that requires communication with the other secret computation apparatuses.

Effects of the Invention

According to the present invention, since some operations are performed locally when a power of data is computed while the data is concealed, the power is computed at high speed with a small number of communication rounds.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an example of the functional configuration of a secret computation system according to a first embodiment;

FIG. 2 is a diagram showing an example of the functional configuration of a secret computation apparatus according to the first embodiment;

FIG. 3 is a diagram showing an example of the processing procedure of a secret computation method according to the first embodiment;

FIG. 4 is a diagram showing an example of the functional configuration of a secret computation system according to a second embodiment;

FIG. 5 is a diagram showing an example of the functional configuration of a secret computation apparatus according to the second embodiment; and

FIG. 6 is a diagram showing an example of the processing procedure of a secret computation method according to the second embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention will be described below in detail. Components having identical functions will be denoted by the same reference numbers in the figures, and duplication of description thereof will be omitted.

Notation

A superscript indicates a power, and the sign ^ in a superscript also indicates a power. For example, a^(b) means the b-th power of a, and a^(b^c) means the b^(c)-th power of a.

Data obtained by concealing data “a” with encryption or secret sharing is called the secure text of “a” and is indicated by [a]. “a” is called the plaintext of [a]. When secret sharing is used in concealment, [a] is called a share or a shared value of data “a”.

A randomized shared value of data “a” is indicated by <a>. A randomized shared value is a pair of a share [a] of data “a” and a share [ra] of the product “ra” of data “a” and a random number “r”. Therefore, a randomized shared value of data “a” can be defined as: <a>:=([a], [ra]).

In the randomized shared value <a>:=([a], [ra]), [a] is called the 0-th component and [ra] is called the first component. See Non-Patent Literature 1 for detecting secret falsification with randomized shared values.

The field to which data and shares belong is called GF(p^(k)), and hereinafter all operations are performed on GF(p^(k)), wherein p is called the characteristic and k is called the degree of field extension. For example, when a, b∈GF(7), a+b is obtained by adding a and b and reducing the sum mod 7. When a, b∈GF(2⁸), a+b is obtained by applying XOR to the corresponding bits of a and b expressed in bits.

Additive Secret Sharing

Additive secret sharing is a secret sharing method in which data "a" is divided into a plurality of shares a_(i) (i=0, 1, ..., m−1) whose signed sum equals "a", as shown in the formula below, so that sharing and reconstruction are performed only by addition and subtraction.

$a = \sum_{i=0}^{m-1} \pm a_i$

In additive secret sharing, when all of m shares a₀, a₁, . . . , and a_(m−1) are obtained from some servers, the original data “a” can be reconstructed; if any of the shares a₀, a₁, . . . , and a_(m−1) is not obtained, the original data “a” cannot be reconstructed.

Replicated Secret Sharing

Replicated secret sharing formed of the following Share and Rec protocols can be used as additive secret sharing. The Share protocol divides plaintext into shares, and the Rec protocol reconstructs the plaintext from the shares. In the present invention, however, any method can be used as long as the method has the characteristics of additive secret sharing, even if the method is not replicated secret sharing.

It is assumed that [a] indicates the whole share of data "a" and [a]_(i) indicates the part of the share [a] held by server "i". When data "a" is divided and held by three servers (servers 0, 1, and 2), data "a" is divided into a₀, a₁, and a₂ in advance according to the following Share protocol, and servers 0, 1, and 2 respectively store [a]₀:=(a₀, a₁), [a]₁:=(a₁, a₂), and [a]₂:=(a₂, a₀). When data "a" is reconstructed, at least two of the shares [a]₀, [a]₁, and [a]₂ are collected to obtain a₀, a₁, and a₂, and they are added to compute data "a" according to the following Rec protocol.

The Share protocol is, for example, the following protocol.

Input: a

Output: ([a]₀, [a]₁, [a]₂)

1. a₁, a₂←GF(p^(k)) (sampled uniformly at random)

2. a₀:=a−(a₁+a₂)

3. [a]_(i):=(a_(i), a_(i+1 mod 3)) for i∈{0, 1, 2}

4. return ([a]₀, [a]₁, [a]₂)

The Rec protocol is, for example, the following protocol.

Input: [a]_(i0), [a]_(i1) (i₀, i₁∈{0, 1, 2})

Output: a

1. Obtain a₀, a₁, a₂ from [a]_(i0), [a]_(i1)

2. return a:=a₀+a₁+a₂

Modification of Replicated Secret Sharing

The following secret sharing can be used as a modification of replicated secret sharing.

The Share protocol is, for example, the following protocol.

Input: a

Output: ([a]₀, [a]₁, [a]₂)

1. a₁, a₂←GF(p^(k)) (sampled uniformly at random)

2. a₀:=−(a₁+a₂)

3. [a]_(i):=(a_(i), a_(i−1 mod 3)−a) for i∈{0, 1, 2}

4. return ([a]₀, [a]₁, [a]₂)

The Rec protocol is, for example, the following protocol.

Input: [a]_(i0), [a]_(i1) (i₀, i₁∈{0, 1, 2})

Output: a

1. Obtain a_(i mod 3), a_(i+1 mod 3), and (a_(i+2 mod 3)−a) from [a]_(i0), [a]_(i1) for some i∈{0, 1, 2}

2. return a:=−(a_(i mod 3)+a_(i+1 mod 3)+(a_(i+2 mod 3)−a)), which equals a since a₀+a₁+a₂=0

Definition of Operations

Mult indicates multiplication in additive secret sharing. More specifically, Mult is a protocol in which, when three servers (servers 0, 1, and 2) respectively store the pairs of shares ([a]₀, [b]₀), ([a]₁, [b]₁), and ([a]₂, [b]₂) of two values shared by additive secret sharing, servers 0, 1, and 2 perform communication and computation to finally obtain [ab]₀, [ab]₁, and [ab]₂ respectively. Such an operation is indicated by [ab]←Mult([a], [b]). Mult can be performed by a multiplication protocol of a known secret computation. For example, the protocol described as Scheme 11 in Non-Patent Literature 1 may be used for replicated secret sharing, and the protocol described in Non-Patent Literature 2 may be used for the modification of replicated secret sharing. In the following embodiments, Scheme 11 of Non-Patent Literature 1 is used as Mult. In that case, every call of Mult is counted as one communication round.

LocalExp indicates an operation in which each server computes a power of the share it holds. More specifically, when servers 0, 1, and 2 respectively store [a]₀=(a₀, a₁), [a]₁=(a₁, a₂), and [a]₂=(a₂, a₀), servers 0, 1, and 2 respectively compute [a^(u)]₀=(a₀^(u), a₁^(u)), [a^(u)]₁=(a₁^(u), a₂^(u)), and [a^(u)]₂=(a₂^(u), a₀^(u)) in this protocol. Such an operation is indicated by [a^(u)]:=LocalExp([a], u). Since LocalExp only computes a power of values held locally, no communication with another server occurs. Note that the result is a valid share of a^(u) only when u is a power of the characteristic p, as explained under Principle of the Invention below; every use of LocalExp in this description satisfies this condition.

DoubleMult indicates an operation in which two pairs of secure text are input, and the secure text in the different pairs are multiplied to obtain the resultant secure text. More specifically, ([a], [a′]) and ([b], [b′]) are input, and ([ab], [a′b′]) is output. Such an operation is indicated by ([ab], [a′b′])←DoubleMult(([a], [a′]), ([b], [b′])). DoubleMult can be performed by any known protocol. For example, such a protocol is described in Non-Patent Literature 1. In that case, every time DoubleMult is called, it is counted as one communication round. DoubleMult can be performed by performing Mult twice. More specifically, [ab]←Mult([a], [b]) and [a′b′]←Mult([a′], [b′]) may be performed. In that case, since the two Mult operations can be executed in parallel, one communication round is required as in DoubleMult.

Principle of the Invention

The present invention uses a property called the Frobenius endomorphism: in a field GF(p^(k)) of characteristic p, the following formula holds for any non-negative integer u.

$(a+b)^{p^u} = a^{p^u} + b^{p^u}$

For simplicity,

$a = \sum_{i=0}^{m-1} a_i$

is assumed here. However, the argument below also holds for

$a = \sum_{i=0}^{m-1} \pm a_i$

even if the plus and minus signs are chosen arbitrarily, because $(-a_i)^{p^u} = -a_i^{p^u}$ in characteristic p (for odd p the exponent p^(u) is odd, and for p=2 negation is the identity).

When this relationship is applied to the relationship between plaintext and shares in additive secret sharing, (a=a₀+a₁+ . . . +a_(m−1)), the following formula holds.

$$\begin{aligned} a^{p^u} &= \left( (a_0 + a_1 + \cdots + a_{m-2}) + a_{m-1} \right)^{p^u} \\ &= (a_0 + a_1 + \cdots + a_{m-2})^{p^u} + (a_{m-1})^{p^u} \\ &= \cdots \\ &= (a_0)^{p^u} + (a_1)^{p^u} + \cdots + (a_{m-1})^{p^u} \end{aligned} \qquad (1)$$

The left side of Formula (1) is plaintext "a" raised to a power of the characteristic, and the right side is the sum of the shares a₀, a₁, ..., a_(m−1) of plaintext "a", each raised to the same power of the characteristic. When a′:=a^(p^u) and a′_(i):=a_(i)^(p^u) for i=0, 1, ..., m−1 are defined, it follows from Formula (1) that the relationship a′=a′₀+a′₁+...+a′_(m−1) between plaintext and shares in additive secret sharing holds. In other words, in order to compute [a^(p^u)] from [a], each party just needs to raise its own share to the p^(u)-th power, and no communication is needed at all.

By using this method, a power of any number can be computed at a higher speed. For example, in order to compute [a⁹⁶] from [a] in GF(2⁸), [a⁶⁴]=[a^(2^6)] and [a³²]=[a^(2^5)] are locally computed, and Mult([a⁶⁴], [a³²]) is computed to obtain [a⁹⁶], as shown below. The number of communication rounds required is one, for the single Mult operation.

1. [a⁶⁴]:=LocalExp([a], 2⁶)

2. [a³²]:=LocalExp([a], 2⁵)

3. [a⁹⁶]←Mult([a⁶⁴], [a³²])

Since the conventional Binary method requires seven Mult operations, as shown below, the above-described method achieves a much higher speed.

1. [a²]←Mult([a], [a])

2. [a⁴]←Mult([a²], [a²])

3. [a⁸]←Mult([a⁴], [a⁴])

4. [a¹⁶]←Mult([a⁸], [a⁸])

5. [a³²]←Mult([a¹⁶], [a¹⁶])

6. [a⁶⁴]←Mult([a³²], [a³²])

7. [a⁹⁶]←Mult([a⁶⁴], [a³²])

For Detecting Falsification

It has been shown that, in order to compute the power of a power of the characteristic [a^(p^u)] from a share [a] obtained by additive secret sharing, each party only needs to compute the p^(u)-th power of its own share. However, when it is assumed that an attacker who tries to perform falsification in secret computation exists and the falsification detection method described in Non-Patent Literature 1 is used, each party holds a randomized shared value <a>:=([a], [ra]), which is a pair of a share [a] obtained by additive secret sharing and a randomized share [ra]. Each party also separately holds a share [r], obtained by applying additive secret sharing to the random number "r".

The input and output of the computation of the power of a power of the characteristic, when an attacker who tries to perform falsification is assumed to exist, are <a>:=([a], [ra]) and <a^(p^u)>:=([a^(p^u)], [ra^(p^u)]) respectively. If the above-described computation were applied directly to the randomized share [ra], the first component would become [(ra)^(p^u)]=[r^(p^u)a^(p^u)], not [ra^(p^u)], so the desired output would not be obtained. Therefore, the computation of the power of a power of the characteristic is not applied to the randomized share [ra]; it is applied to [a], and the resulting [a^(p^u)] is multiplied with [r] to obtain [ra^(p^u)]. In short, to obtain <a^(p^u)>=([a^(p^u)], [ra^(p^u)]) from <a>=([a], [ra]), [a] is raised to the p^(u)-th power locally to obtain [a^(p^u)], and then Mult([a^(p^u)], [r]) is computed to obtain [ra^(p^u)]. This costs one communication round for the Mult, which the local step alone does not need.

First Embodiment

A secret computation system according to a first embodiment includes n (≥3) secret computation apparatuses 1₁ to 1_(n), as exemplified in FIG. 1. The secret computation apparatuses 1₁ to 1_(n) are connected separately to a communication network 3. The communication network 3 is a circuit-switching or packet-switching communication network configured to allow mutual communication between the secret computation apparatuses 1₁ to 1_(n), and the Internet, a local area network (LAN), a wide area network (WAN) or the like can be used, for example. Each apparatus does not necessarily have to be able to perform communication online via the communication network 3. For example, information to be input to the secret computation apparatus 1_(i) (i∈{1, ..., n}) may be stored on a portable recording medium, such as a magnetic tape or a USB memory, and may be input offline from the portable recording medium.

The secret computation apparatus 1 includes an input unit 11, a local operation unit 12, a secret computation unit 14, and an output unit 15, as exemplified in FIG. 2. A secret computation method of the first embodiment is implemented when this secret computation apparatus 1 executes the processes of steps exemplified in FIG. 3 in cooperation with other secret computation apparatuses 1.

The secret computation apparatus 1 is, for example, a special apparatus configured by reading a special program into a known or special computer having a central processing unit (CPU), a main memory (a random access memory: RAM), and other components. The secret computation apparatus 1 executes processing under the control of the central processing unit, for example. Data input to the secret computation apparatus 1 or data obtained by processing is stored in the main memory, for example, and the data stored in the main memory is read into the central processing unit and used for other processing when necessary. At least some of the processing sections of the secret computation apparatus 1 may be configured by hardware such as integrated circuits.

The processing procedure of the secret computation method in the first embodiment will be described below with reference to FIG. 3.

In step S11, a share [a] obtained by applying additive secret sharing to data “a”, which is subjected to operations, and the exponent ν (≥2) of a power to be applied to data “a” are input to the input unit 11. The share [a] and the exponent ν are sent to the local operation unit 12.

In step S12, without performing communication with another secret computation apparatus, the local operation unit 12 computes the power of a power of the characteristic, that is, the p^(u)-th power, of a share [a^(t)] obtained by applying additive secret sharing to the t-th power of data "a", and obtains a share [a^(t*p^u)] of the p^(u)-th power of data "a^(t)". That is, [a^(t*p^u)]:=LocalExp([a^(t)], p^(u)) is computed, wherein "u" and "t" are integers equal to or larger than 1 that satisfy t*p^(u)≤ν. The local operation unit 12 may be executed a plurality of times on the way to obtaining a share [a^(ν)] of the ν-th power of data "a", but at least in the first execution t equals 1, that is, the p^(u)-th power of the share [a] of data "a" itself is computed.

In step S13, the secret computation unit 14 performs secret computation in cooperation with the other secret computation apparatuses to multiply a share [a^(α)] of the α-th power of data "a" with a share [a^(β)] of the β-th power of data "a". That is, [a^(α+β)]←Mult([a^(α)], [a^(β)]) is computed, wherein α and β are integers equal to or larger than 1 that satisfy α+β≤ν. Either [a^(α)] or [a^(β)] is a share [a^(t*p^u)] obtained in the local operation unit 12 as the p^(u)-th power of data "a^(t)"; that is, α=t*p^(u) or β=t*p^(u). The secret computation unit 14 may be executed a plurality of times to obtain a share [a^(ν)] of the ν-th power of data "a".

In step S14, when the computational result of the local operation unit 12 or the secret computation unit 14 becomes a share [a^(ν)] obtained by applying additive secret sharing to the ν-th power of data “a”, the output unit 15 outputs the share [a^(ν)].

Second Embodiment

In a second embodiment, a secret computation system can detect falsification made in power computation using secret computation. The secret computation system of the second embodiment includes n (≥3) secret computation apparatuses 2 ₁, . . . , and 2 _(n), as exemplified in FIG. 4.

The secret computation apparatus 2 includes an input unit 11, a local operation unit 12, a randomizing unit 13, a secret computation unit 14, and an output unit 15, as exemplified in FIG. 5. A secret computation method of the second embodiment is implemented when this secret computation apparatus 2 executes the processes of steps exemplified in FIG. 6 in cooperation with other secret computation apparatuses 2.

The processing procedure of the secret computation method in the second embodiment will be described below with reference to FIG. 6.

In step S21, a randomized shared value <a>:=([a], [ra]) obtained by applying additive secret sharing to data “a”, which is subjected to operations, a share [r] obtained by applying additive secret sharing to the random number “r” used when the randomized shared value <a> was generated, and the exponent ν of a power to be applied to data “a” are input to the input unit 11. The randomized shared value <a>, the share [r], and the exponent ν are sent to the local operation unit 12.

In step S22, without performing communication with another secret computation apparatus, the local operation unit 12 computes the power of a power of the characteristic, that is, the p^(u)-th power, of a share [a^(t)] obtained by applying additive secret sharing to the t-th power of data "a", and obtains a share [a^(t*p^u)] of the p^(u)-th power of data "a^(t)". That is, [a^(t*p^u)]:=LocalExp([a^(t)], p^(u)) is computed. The share [a^(t*p^u)] is sent to the randomizing unit 13.

In step S23, the randomizing unit 13 performs secret computation in cooperation with the other secret computation apparatuses to multiply the computation result [a^(t*p^u)] of the local operation unit 12 with a share [r] obtained by applying additive secret sharing to the random number "r". That is, [ra^(t*p^u)]←Mult([a^(t*p^u)], [r]) is computed. With this, a randomized shared value <a^(t*p^u)>:=([a^(t*p^u)], [ra^(t*p^u)]) of the p^(u)-th power of data a^(t) is generated. The randomizing unit 13 may instead multiply the computation result [a^(t*p^u)] of the local operation unit 12 with the first component [ra^(s)] of another randomized shared value <a^(s)>:=([a^(s)], [ra^(s)]). That is, [ra^((t*p^u)+s)]←Mult([a^(t*p^u)], [ra^(s)]) may be computed, wherein "s" is an integer equal to or larger than 1 that satisfies t*p^(u)+s≤ν. In parallel, the secret computation unit 14 multiplies the computation result [a^(t*p^u)] of the local operation unit 12 with the 0-th component [a^(s)] of the same randomized shared value <a^(s)>, that is, [a^((t*p^u)+s)]←Mult([a^(t*p^u)], [a^(s)]), so that a randomized shared value <a^((t*p^u)+s)>:=([a^((t*p^u)+s)], [ra^((t*p^u)+s)]) of the product of the p^(u)-th power of data "a^(t)" and data "a^(s)" is generated in a single communication round.

In step S24, the secret computation unit 14 performs secret computation in cooperation with the other secret computation apparatuses to multiply a randomized shared value <a^(α)>:=([a^(α)], [ra^(α)]) of the α-th power of data "a" with a randomized shared value <a^(β)>:=([a^(β)], [ra^(β)]) of the β-th power of data "a". The above-described DoubleMult can be used for this multiplication. That is, <a^(α+β)>←DoubleMult(([a^(α)], [a^(α)]), ([a^(β)], [ra^(β)])) is computed. Alternatively, the above-described Mult may be executed twice in parallel. That is, [a^(α+β)]←Mult([a^(α)], [a^(β)]) and [ra^(α+β)]←Mult([a^(α)], [ra^(β)]) are computed, and [a^(α+β)] and [ra^(α+β)] are combined to generate <a^(α+β)>:=([a^(α+β)], [ra^(α+β)]). Either <a^(α)> or <a^(β)> is a randomized shared value <a^(t*p^u)> of the p^(u)-th power of data "a^(t)"; that is, α=t*p^(u) or β=t*p^(u). The secret computation unit 14 may execute these operations a plurality of times to obtain a randomized shared value <a^(ν)> of the ν-th power of data "a".

In step S25, when the computational result of the randomizing unit 13 or the secret computation unit 14 becomes a randomized shared value <a^(ν)> obtained by applying additive secret sharing to the ν-th power of data “a”, the output unit 15 outputs the randomized shared value <a^(ν)>.

Specific Examples

Specific protocols implemented by the foregoing embodiments will be shown below. In the following specific examples, three-party secret computation is assumed. However, secret computation technology according to the present invention is not limited to three-party secret computation. In the following specific examples, GF(2⁸) and GF(3³) are used as examples. However, the characteristic is not limited to 2 or 3, nor is the degree of field extension limited to 8 or 3.

In a first specific example, the protocol computes a power in secret computation on a field GF(2⁸). Here, a protocol that computes [a²¹] from [a] is shown.

Input: [a]

Output: [a²¹]

1. [a¹⁶]:=LocalExp([a], 2⁴)

2. [a⁴]:=LocalExp([a], 2²)

3. [a²⁰]←Mult([a¹⁶], [a⁴])

4. [a²¹]←Mult([a²⁰], [a¹])

5. return [a²¹]

In the above-described protocol, Mult is performed twice, and the number of communication rounds is two. In contrast, when [a²¹] is computed with the Binary method, Mult is required to be performed six times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.

Input: [a]

Output: [a²¹]

1. [a²]←Mult([a], [a])

2. [a⁴]←Mult([a²], [a²])

3. [a⁵]←Mult([a⁴], [a])

4. [a¹⁰]←Mult([a⁵], [a⁵])

5. [a²⁰]←Mult([a¹⁰], [a¹⁰])

6. [a²¹]←Mult([a²⁰], [a])

7. return [a²¹]

In a second specific example, the protocol obtains an inverse element in secret computation on the field GF(2⁸). Here, a protocol that computes the inverse element [a⁻¹] from [a] is shown. Since a²⁵⁵=1 for every non-zero a∈GF(2⁸) by Fermat's little theorem, [a⁻¹]=[a²⁵⁴], so obtaining the inverse element is equivalent to computing the 254th power (for a=0, which has no inverse, the protocol simply returns [0]).

Input: [a]

Output: [a⁻¹]=[a²⁵⁴]

1. [a²]:=LocalExp([a], 2)

2. [a³]←Mult([a²], [a])

3. [a¹²]:=LocalExp([a³], 2²)

4. [a¹⁵]←Mult([a¹²], [a³])

5. [a¹⁴]←Mult([a¹²], [a²])

6. [a²⁴⁰]:=LocalExp([a¹⁵], 2⁴)

7. [a²⁵⁴]←Mult([a²⁴⁰], [a¹⁴])

8. return [a²⁵⁴]

In the above-described protocol, since line 4 and line 5 can be executed in parallel, the number of communication rounds is three. In contrast, when [a⁻¹] is computed with the Binary method, Mult is required to be performed 13 times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.

Input: [a]

Output: [a⁻¹]=[a²⁵⁴]

1. [a²]←Mult([a], [a])

2. [a³]←Mult([a²], [a])

3. [a⁶] ←Mult([a³], [a³])

4. [a⁷]←Mult([a⁶], [a])

5. [a¹⁴]←Mult([a⁷], [a⁷])

6. [a¹⁵]←Mult([a¹⁴], [a])

7. [a³⁰]←Mult([a¹⁵], [a¹⁵])

8. [a³¹]←Mult([a³⁰], [a])

9. [a⁶²]←Mult([a³¹], [a³¹])

10. [a⁶³]←Mult([a⁶²], [a])

11. [a¹²⁶]←Mult([a⁶³], [a⁶³])

12. [a¹²⁷]←Mult([a¹²⁶], [a])

13. [a²⁵⁴]←Mult([a¹²⁷], [a¹²⁷])

14. return [a²⁵⁴]

In a third specific example, the power protocol in secret computation on the field GF(2⁸) is applied to falsification detection. Here, a protocol that computes <a²¹>=([a²¹], [ra²¹]) from <a>=([a], [ra]) is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.

Input: <a>=([a], [ra]), [r]

Output: <a²¹>=([a²¹], [ra²¹])

1. [a¹⁶]:=LocalExp([a], 2⁴)

2. [a⁴]:=LocalExp([a], 2²)

3. [ra⁴]←Mult([a⁴], [r])

4. ([a²⁰], [ra²⁰])←DoubleMult(([a¹⁶], [a¹⁶]), ([a⁴], [ra⁴]))

5. ([a²¹], [ra²¹])←DoubleMult(([a], [a]), ([a²⁰], [ra²⁰]))

6. return <a²¹>=([a²¹], [ra²¹])

In a fourth specific example, the inverse-element protocol in secret computation on the field GF(2⁸) is applied to falsification detection. Here, a protocol that computes <a⁻¹>=<a²⁵⁴>=([a²⁵⁴], [ra²⁵⁴]), the inverse element of <a>=([a], [ra]), is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.

Input: <a>=([a], [ra]), [r]

Output: <a⁻¹>=<a²⁵⁴>=([a²⁵⁴], [ra²⁵⁴])

1. [a²]:=LocalExp([a], 2)

2. [ra²]←Mult([a²], [r])

3. ([a³], [ra³])←DoubleMult(([a], [a]), ([a²], [ra²]))

4. [a¹²]:=LocalExp([a³], 2²)

5. ([a¹⁵], [ra¹⁵])←DoubleMult(([a¹²], [a¹²]), ([a³], [ra³]))

6. ([a¹⁴], [ra¹⁴])←DoubleMult(([a¹²], [a¹²]), ([a²], [ra²]))

7. [a²⁴⁰]:=LocalExp([a¹⁵], 2⁴)

8. ([a²⁵⁴], [ra²⁵⁴])←DoubleMult(([a²⁴⁰], [a²⁴⁰]), ([a¹⁴], [ra¹⁴]))

9. return <a²⁵⁴>=([a²⁵⁴], [ra²⁵⁴])

In a fifth specific example, the protocol computes a power in secret computation on a field GF(3³). Here, a protocol that computes [a¹⁰] from [a] is shown.

Input: [a]

Output: [a¹⁰]

1. [a⁹]:=LocalExp([a], 3²)

2. [a¹⁰]←Mult([a⁹], [a])

3. return [a¹⁰]

In the above-described protocol, Mult is performed once and the number of communication rounds is one. In contrast, when [a¹⁰] is computed with the Binary method, Mult is required to be performed four times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.

Input: [a]

Output: [a¹⁰]

1. [a²]←Mult([a], [a])

2. [a⁴]←Mult([a²], [a²])

3. [a⁵]←Mult([a⁴], [a])

4. [a¹⁰]←Mult([a⁵], [a⁵])

5. return [a¹⁰]

In a sixth specific example, the protocol obtains an inverse element in secret computation on a field GF(3³). Here, a protocol that computes the inverse element [a⁻¹] from [a] is shown. Since [a⁻¹]=[a²⁵] by Fermat's little theorem, obtaining the inverse element is equivalent to computing the 25th power.

Input: [a]

Output: [a⁻¹]=[a²⁵]

1. [a⁹]:=LocalExp([a], 3²)

2. [a³]:=LocalExp([a], 3)

3. [a¹²]←Mult([a⁹], [a³])

4. [a²⁴]←Mult([a¹²], [a¹²])

5. [a²⁵]←Mult([a²⁴], [a])

6. return [a²⁵]

In the above-described protocol, Mult is performed three times, and parallel operations are not possible. Therefore, the number of communication rounds is three. In contrast, when [a⁻¹] is computed with the Binary method, Mult is required to be performed six times, as shown in the protocol below. It is found that the number of communication rounds is greatly reduced.

Input: [a]

Output: [a⁻¹]=[a²⁵]

1. [a²]←Mult([a], [a])

2. [a³]←Mult([a²], [a])

3. [a⁶]←Mult([a³], [a³])

4. [a¹²]←Mult([a⁶], [a⁶])

5. [a²⁴]←Mult([a¹²], [a¹²])

6. [a²⁵]←Mult([a²⁴], [a])

7. return [a²⁵]

In a seventh specific example, the power protocol in secret computation on the field GF(3³) is applied to falsification detection. Here, a protocol that computes <a¹⁰>=([a¹⁰], [ra¹⁰]) from <a>=([a], [ra]) is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.

Input: <a>=([a], [ra]), [r]

Output: <a¹⁰>=([a¹⁰], [ra¹⁰])

1. [a⁹]:=LocalExp([a], 3²)

2. ([a¹⁰], [ra¹⁰])←DoubleMult(([a⁹], [a⁹]), ([a], [ra]))

3. return <a¹⁰>=([a¹⁰], [ra¹⁰])

In an eighth specific example, the inverse-element protocol in secret computation on the field GF(3³) is applied to falsification detection. Here, a protocol that computes <a⁻¹>=<a²⁵>=([a²⁵], [ra²⁵]), the inverse element of <a>=([a], [ra]), is shown. In the following protocol, in order to avoid computing a power of a randomized share, the multiplication of a random number is performed by Mult after local operations.

Input: <a>=([a], [ra]), [r]

Output: <a⁻¹>=<a²⁵>=([a²⁵], [ra²⁵])

1. [a⁹]:=LocalExp([a], 3²)

2. [a³]:=LocalExp([a], 3)

3. [ra³]←Mult([a³], [r])

4. ([a¹²], [ra¹²])←DoubleMult(([a⁹], [a⁹]), ([a³], [ra³]))

5. ([a²⁴], [ra²⁴])←DoubleMult(([a¹²], [a¹²]), ([a¹²], [ra¹²]))

6. ([a²⁵], [ra²⁵])←DoubleMult(([a²⁴], [a²⁴]), ([a], [ra]))

7. return <a²⁵>=([a²⁵], [ra²⁵])

According to secret computation technology of the present invention, the following formula on the extended field is used to locally compute the power of a power of a characteristic, reducing the number of communication rounds used in the entire power computation. Therefore, a power can be computed at high speed while data is concealed. By applying this technology, inverse-element computation that uses a power can be executed at high speed.

$a^{p^{u}} = {\left( {\sum\limits_{i = 0}^{m - 1}a_{i}} \right)^{p^{u}} = {a_{0}^{p^{u}} + \ldots + a_{m - 1}^{p^{u}}}}$

Embodiments of the present invention have been described above. However, a specific configuration of the present invention is not limited to those in the above described embodiments. Even if a design change is made to the above embodiments, if necessary, without departing from the scope of the present invention, it is needless to say that those changes are included in the present invention. Each type of processing described in the above embodiments may be executed not only time sequentially according to the order of description but also in parallel or individually when necessary or according to the processing capabilities of the apparatuses that execute the processing.

Program and Recording Medium

When various types of processing functions in each apparatus, described in the embodiments, are implemented by a computer, the processing details of the functions that should be provided by each apparatus are described in a program. When the program is executed by the computer, the processing functions in each apparatus are implemented on the computer.

The program containing the processing details can be recorded in a computer-readable recording medium. The computer-readable recording medium can be any type of medium, such as a magnetic recording device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.

This program is distributed by selling, transferring, or lending a portable recording medium, such as a DVD or a CD-ROM, with the program recorded on it, for example. The program may also be distributed by storing the program in a storage of a server computer and transferring the program from the server computer to another computer through the network.

A computer that executes this type of program first stores the program recorded on the portable recording medium or the program transferred from the server computer in its storage, for example. Then, the computer reads the program stored in its storage and executes processing in accordance with the read program. In a different program execution form, the computer may read the program directly from the portable recording medium and execute processing in accordance with the program, or the computer may execute processing in accordance with the program each time the computer receives the program transferred from the server computer. Alternatively, the above-described processing may be executed by a so-called application service provider (ASP) service, in which the processing functions are implemented just by giving program execution instructions and obtaining the results without transferring the program from the server computer to the computer. The program of this form includes information that is provided for use in processing by the computer and is treated correspondingly as a program (something that is not a direct instruction to the computer but is data or the like that has characteristics that determine the processing executed by the computer).

In the description given above, the apparatuses are implemented by executing the predetermined programs on the computer, but at least a part of the processing details may be implemented by hardware. 

1. A secret computation method in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation method computing a share [a^(ν)] of the ν-th power of data a from a share [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses, the secret computation method comprising: computing the p^(u)-th power of a share [a^(t)] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; and obtaining the share [a^(ν)] in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, using secret computation that requires communication with the other secret computation apparatuses.
 2. A secret computation method in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), r is a random number that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, <a>:=([a], [ra]) is a randomized shared value of data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation method computing a randomized shared value <a^(ν)>:=([a^(ν)], [ra^(ν)]) of the ν-th power of data a from a randomized shared value [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses, the secret computation method comprising: computing the p^(u)-th power of a share [a^(t)] of the t-th power of data a in a local operation unit of one of the three or more secret computation apparatuses without communication with the other secret computation apparatuses; obtaining a randomized shared value <a^((t*p{circumflex over ( )}u))>:=([a^((t*p{circumflex over ( )}u))], [ra^((t*p{circumflex over ( )}u))]) of the computation result of the local operation unit in a randomizing unit of the one of the three or more secret computation apparatuses by multiplying [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with the other secret computation apparatuses; and obtaining the randomized shared value <a^(ν)> in a secret computation unit of the one of the three or more secret computation apparatuses by computing a multiplication in which at least one of the multiplicands is a randomized shared value <a^((t*p{circumflex over ( )}u))> of the computation result of the local operation unit using secret computation that requires communication with the other secret computation apparatuses.
 3. A secret computation system in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation system comprising three or more secret computation apparatuses to compute a share [a^(ν)] of the ν-th power of data a from a share [a] of data a while data a is concealed, each of the secret computation apparatuses comprising processing circuitry configured to: compute the p^(u)-th power of a share [a^(t)] of the t-th power of data a without communication with the other secret computation apparatuses; and obtain the share [a^(ν)] by computing a multiplication in which at least one of the multiplicands is [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, using secret computation that requires communication with the other secret computation apparatuses.
 4. A secret computation system in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), r is a random number that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, <a>:=([a], [ra]) is a randomized shared value of data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation system comprising three or more secret computation apparatuses to compute a randomized shared value <a^(ν)>:=([a^(ν)], [ra^(ν)]) of the ν-th power of data a from a randomized shared value [a] of data a while data a is concealed, each of the secret computation apparatuses comprising processing circuitry configured to: compute the p^(u)-th power of a share [a^(t)] of the t-th power of data a without communication with the other secret computation apparatuses; obtain a randomized shared value <a^((t*p{circumflex over ( )}u))>:=([a^((t*p{circumflex over ( )}u))], [ra^((t*p{circumflex over ( )}u))]) of the computation result of the local operation unit by multiplying [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with the other secret computation apparatuses; and obtain the randomized shared value <a^(ν)> by computing a multiplication in which at least one of the multiplicands is a randomized shared value <a^((t*p{circumflex over ( )}u))> of the computation result of the local operation unit using secret computation that requires communication with the other secret computation apparatuses.
 5. A secret computation apparatus included in a secret computation system in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation system computing a share [a^(ν)] of the ν-th power of data a from a share [a] of data a while data a is concealed, the secret computation apparatus comprising processing circuitry configured to: compute the p^(u)-th power of a share [a^(t)] of the t-th power of data a without communication with another secret computation apparatus; and obtain the share [a^(ν)] by computing a multiplication in which at least one of the multiplicands is [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, using secret computation that requires communication with another secret computation apparatus.
 6. A secret computation apparatus included in a secret computation system in which GF(p^(k)) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(p^(k)), r is a random number that is an element of the extended field GF(p^(k)), [a] is a share obtained by applying additive secret sharing to data a, <a>:=([a], [ra]) is a randomized shared value of data a, ν is an integer equal to or larger than 2, and u and t are integers equal to or larger than 1 and satisfy t*p^(u)≤ν, the secret computation system computing a randomized shared value <a^(ν)>:=([a^(ν)], [ra^(ν)]) of the ν-th power of data a from a randomized shared value [a] of data a while data a is concealed, the secret computation apparatus comprising processing circuitry configured to: compute the p^(u)-th power of a share [a^(t)] of the t-th power of data a without communication with another secret computation apparatus; obtain a randomized shared value <a^((t*p{circumflex over ( )}u))>:=([a^((t*p{circumflex over ( )}u))], [ra^((t*p{circumflex over ( )}u))]) of the computation result of the local operation unit by multiplying [a^((t*p{circumflex over ( )}u))], the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with another secret computation apparatus; and obtain the randomized shared value <a^(ν)> by computing a multiplication in which at least one of the multiplicands is a randomized shared value <a^((t*p{circumflex over ( )}u))> of the computation result of the local operation unit using secret computation that requires communication with another secret computation apparatus.
 7. A program for causing a computer to function as the secret computation apparatus according to one of claims 5 and 6.